Title
r
Rafael Rodrigues Santana
05/15/2023, 8:37 PM[Securing orchest cluster]
Hello guys, we're implementing some security measures in our orchest cluster.
I was not the one that have created our deployment process in the past...
We were thinking about using AWS WAF to secure it. However, since our load balancer is of type network (layer 4), WAF is not compatible. Is there a reason for orchest to create a Network Load Balancer instead of a Application Load Balancer?
Here is our manifest:
apiVersion: v1
kind: Service
metadata:
annotations:
<http://service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout|service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout>: "60"
<http://service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled|service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled>: "true"
<http://service.beta.kubernetes.io/aws-load-balancer-ssl-cert|service.beta.kubernetes.io/aws-load-balancer-ssl-cert>: ....
<http://service.beta.kubernetes.io/aws-load-balancer-ssl-ports|service.beta.kubernetes.io/aws-load-balancer-ssl-ports>: https
<http://service.beta.kubernetes.io/aws-load-balancer-type|service.beta.kubernetes.io/aws-load-balancer-type>: nlb
<http://service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags|service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags>: environment=....
labels:
<http://app.kubernetes.io/component|app.kubernetes.io/component>: controller
<http://app.kubernetes.io/instance|app.kubernetes.io/instance>: ingress-nginx
<http://app.kubernetes.io/name|app.kubernetes.io/name>: ingress-nginx
<http://app.kubernetes.io/part-of|app.kubernetes.io/part-of>: ingress-nginx
<http://app.kubernetes.io/version|app.kubernetes.io/version>: 1.3.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: tohttps
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: http
selector:
<http://app.kubernetes.io/component|app.kubernetes.io/component>: controller
<http://app.kubernetes.io/instance|app.kubernetes.io/instance>: ingress-nginx
<http://app.kubernetes.io/name|app.kubernetes.io/name>: ingress-nginx
type: LoadBalancerj
Jacopo
05/16/2023, 7:53 AMHi Rafael, in principle I don't see why you couldn't go with an ALB rather than a NLB assuming the due diligence checks take place. You might have to double check the controller for any quirky behaviour around balancers (not that I know of, but I wasn't fully involved with the controller) and the logs streaming since they go through websocket
I didn't have the chance to work with WAF so I can't really help with any knowledge in that direction sadly
r
Rafael Rodrigues Santana
05/16/2023, 3:34 PMI was able to workaround this, it's an issue of the ingress-controller itself, it seems that it's not compatible (directly at least) with application load balancers, just classic and network load balancers. However, we were able to use a load balancer by changing the service type to NodePort and forwarding requests from an existing load balancer to the node port.
👏 1
j
Jacopo
05/17/2023, 6:50 AMHappy to hear you found a workaround 🙂